[ 07/48] ALSA: control: Make sure that id->index does not

From: Willy Tarreau
Date: Sun Nov 16 2014 - 17:13:51 EST

2.6.32-longterm review patch. If anyone has any objections, please let me know.


From: Lars-Peter Clausen <lars@xxxxxxxxxx>

The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.

Signed-off-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
Acked-by: Jaroslav Kysela <perex@xxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
(cherry picked from commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e)
[wt: part 1 of CVE-2014-4656 fix]
Signed-off-by: Willy Tarreau <w@xxxxxx>
sound/core/control.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 7834a54..80bb3ed 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -328,6 +328,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
if (snd_BUG_ON(!card || !kcontrol->info))
goto error;
id = kcontrol->id;
+ if (id.index > UINT_MAX - kcontrol->count)
+ goto error;
if (snd_ctl_find_id(card, &id)) {

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/